Cyberattackers have breached eBay's networks and compromised users' passwords and other "non-financial data," the online shopping website announced today (May 21). The passwords were "hashed" using one-way encryption, and financial data was stored separately from the compromised data, but all eBay users have nonetheless been advised to change their passwords immediately.
According to eBay, the data breach occurred between late February and early March and compromised users' names, hashed passwords, email addresses, physical addresses, phone numbers and dates of birth — more than enough to give an identity thief a head start.
It's not clear how many people might be affected. Thus far, eBay says it has detected no fraudulent account activity on its service due to this breach.
The intruders apparently breached eBay's database by stealing a handful of employee login credentials, which gave them access to eBay's corporate network. eBay says it detected this "about two weeks ago." The company is now working with law enforcement and "leading security experts" on an ongoing investigation.
eBay hit a bit of a snafu in announcing this data breach to its customers: Last night (May 20), a post appeared on PayPal's website, entitled "eBay Inc to Ask All eBay Users to Change Passwords," but the body of the post only read "place holder text." (PayPal is an online payment service owned by eBay.)
The post was quickly taken down, but not before prompting concern among many eBay and PayPal users who saw it. PayPal appears to be unaffected by this breach.
This morning eBay's official disclosure of the breach went live, clarifying that eBay had indeed suffered a data breach and warning users to change their passwords.
if you have an eBay account, not only should you change your eBay password, but you should also change the same password on any other online account that uses it. (It's best to never repeat passwords.)
You should also be on the lookout for email spam, since users' names and email addresses were included in the compromised data. Don't click on any links in unfamiliar emails, or even familiar emails that appear to be slightly off.